CN101436967A - Method and system for evaluating network safety situation - Google Patents

Info

Publication number
CN101436967A
Authority
CN
China
Prior art keywords
network
assets
threat
module
risk
Legal status
Pending
Application number
CNA2008102407337A
Other languages
Chinese (zh)
Inventor
闫丹凤
孙其博
杨放春
王文彬
李沁
Current Assignee
Beijing University of Posts and Telecommunications
Original Assignee
Beijing University of Posts and Telecommunications

Abstract

The invention relates to a method and system for assessing the security situation of a network. The system has a two-plane, three-layer architecture: a public service plane and a service management plane perform unified, coordinated management of the system's functional modules, and, following the business-logic processing flow, the system is divided into three layers (an acquisition layer, an analysis layer and a presentation layer) that complete four assessment operations covering assets, vulnerability, threat and security situation. Based on the characteristics of service operation in the network, and combining existing risk assessment methods, processes and security detection tools, the invention provides a novel, dynamic, real-time assessment method. The system can analyze the risk of the assets and services in the network and of the network as a whole, and assess the security situation. It gives the security state of the whole network at the macro level and can also drill down to specific services and assets to identify specific security problems, thereby helping network security personnel analyze the root cause of a security problem and assisting them in proposing security solutions and implementing defensive measures.

Description

A network security situation assessment method and system
Technical field
The present invention relates to a dynamic, extensible network security situation assessment method and system, and belongs to the field of network security technology.
Background
With the continuous expansion of network scale, networks now play an increasingly important role in social life. At the same time, network security problems have become increasingly prominent and are gradually becoming a key issue that urgently needs solving before network services and applications can develop further. In addition, as network intrusions and attacks trend toward being distributed, large-scale, complex and indirect, the threats posed by network viruses, DoS/DDoS attacks and the like, and the losses they cause, keep growing. Many researchers and institutions have come to realize that existing network security products alone cannot monitor the security situation of the whole network in real time.
Network security situation assessment means comprehensively extracting security situation elements from the network, analyzing and calculating the current situation, and predicting the network security situation. A "situation" is a state and a trend; it is a holistic, global concept, and no single circumstance or state can be called a situation.
After Tim Bass proposed the concept of network security situation awareness, he went on to propose an intrusion detection framework based on multi-sensor data fusion, and applied this framework to next-generation intrusion detection systems and network security situation awareness systems. The framework supports functions such as detecting intrusion behavior, calculating intrusion rates, identifying intruders and their behavior, situation assessment and threat assessment. Network security situation awareness tools mainly include: "The Spinning Cube of Potential Doom" system developed in 2003 by Stephen Lau of Lawrence Berkeley National Laboratory in the United States; SILK, developed by CERT/NetSA at the Software Engineering Institute of Carnegie Mellon University; and the ongoing SIFT project at the U.S. National Center for Advanced Secure Systems Research. Other research organizations include the U.S. Department of Defense Computer Security Center, the U.S. Air Force, Canada's national defence research and development centre, and the Swiss Federal Institute of Technology.
In view of the current state and development of networks and the heavy losses caused by intrusions and attacks, the relevant government departments have recognized the necessity and urgency of research on network security situation assessment. The U.S. Department of Defense included funding for network security situation assessment projects in its 2005 budget report. In its 2006 plan, the U.S. advanced research and development agency spelled out the research goals and key technologies for preliminary research on network security situation awareness. The research goal is to provide different decision makers and analysts with easily accessible, understandable information assurance data in visual form: attack information and knowledge, vulnerability information, defensive measures and so on. The key technologies include data fusion, data visualization, integration of network management tools, real-time vulnerability analysis and so on.
Research on network security situation assessment in China has only just begun. Feng Yi of the National University of Defense Technology, from the perspective of the information and network security of our military, set out the necessity and importance of the military actively pursuing research on network security situation assessment, and identified two key technologies: multi-source sensor data fusion and data mining. Other domestic research mainly centers on network security situation assessment and large-scale network early warning. In network security situation assessment, Xi'an Jiaotong University has implemented an integrated network security monitoring platform based on IDS and firewalls; the Information Security and Countermeasure Technology Research Center of Beijing Institute of Technology has developed a LAN-based network security situation assessment system. In large-scale network early warning, Hu Huaping and others at the National University of Defense Technology have proposed the basic framework, key technologies and difficult problems of an intrusion detection and early warning system for large-scale networks.
Network security situation assessment comprises the following: (1) in the given network environment, extracting each situation element related to network security, in preparation for security analysis and prediction; (2) analyzing the causes and impact of events, rating the events, and calculating the security situation of the whole network; (3) producing a visual, comprehensive network situation map and a situation analysis report. The factors that influence network security include asset importance and value, vulnerability, and threat. Assets are the basic elements that make up network services and the basic building blocks of the whole network. A vulnerability is a weak point that a threat may exploit to damage an asset, and a threat is a potential cause of damage to an asset. A threat may exploit a vulnerability to damage a network asset. Network security situation assessment assesses and predicts the network security situation on the basis of these factors.
From the above it is easy to see that research both in China and abroad still has several problems: (1) Existing tools are weak in real-time performance: network security situation assessment means monitoring the network security state in real time, yet a common problem of existing monitoring systems is poor real-time performance. (2) The data source is single: the factors bearing on the network security situation are complex, yet the data sources currently chosen are too narrow. (3) The presentation of the security situation does not highlight what matters most and is too general. For a given network, what the customer may care about most is the direct loss that a security incident on that network would cause, not merely the situation of the whole network in general terms. (4) The extraction of risk data is oversimplified, for example paying attention only to threats.
With the development of network technology, networks are gradually moving toward a unified bearer mechanism, in which the various existing networks are all merged onto a unified bearer network so as to achieve a unified, convenient and efficient mode of service provision. This naturally introduces new functional entities and new protocols, and with them new security risks. How to assess the network security situation of such a large, novel and complex network has therefore become a necessary and urgent research focus, and a new problem of concern to researchers in the field.
Summary of the invention
In view of this, the purpose of the invention is to provide a network security situation assessment method and system. Based on the characteristics of service operation in the network, and combining existing risk assessment methods, processes and security detection tools, the invention proposes a novel, dynamic, real-time assessment method. With this assessment system and method, the risk of the assets and services in the network and of the whole network can be analyzed, and the security situation can be assessed continuously. The assessment system not only gives the security state of the overall network at the macro level but can also drill down to specific services and assets to understand their specific security problems. It can therefore help network security personnel analyze the root cause of a security problem, and assist them in proposing security solutions and implementing defensive measures.
To achieve the above purpose, the invention provides a network security situation assessment method and system, characterized in that: the system has a two-plane, three-layer architecture, with a public service plane and a system management plane that perform unified coordination and management of the functional modules in the system, and three layers divided according to the business-logic processing flow (an acquisition layer, an analysis layer and a presentation layer) that are used to complete four assessment operations on assets, vulnerability, threat and security situation; wherein:
Acquisition layer: consists of different sensor groups that respectively collect asset vulnerability, threat and asset information, and a sensor management module made up of multiple sensor managers, so that the sensors collect the relevant basic information according to user requirements, the sensors are managed, and the collected information is format-processed;
Analysis layer: the core functional layer of the system, responsible for online analysis of the risk-factor data collected by the acquisition layer, including assets, threats and vulnerabilities; it extracts risk events, assigns values to them and calculates them in real time, and predicts the security situation; or it performs correlation analysis on the collected threat data to give early warning of new threats to the network and to discover the relationships between network attacks. It comprises a threat assessment module, a vulnerability assessment module, an asset value calculation module, a risk factor management module and a security situation assessment module that analyze and process in real time the data collected by the above modules, and a threat correlation analysis module used for offline analysis;
Presentation layer: presents, in an intuitive graphical manner, the network assets, the network topology, the vulnerabilities present in the network, the threats it faces and the security situation of the network. It comprises an asset information display module, a vulnerability report display module, a threat report display module, a threat correlation display module, a network topology display module and a security situation display module;
Public service plane: the provider of common services while the system is running, responsible for data services, communication services between system modules, timing services and log services. It comprises: a communication service module that provides internal communication between the layers; a timing service module that maintains the system clock; a data service module that provides data transfer, storage and data management between the layers; and a log service module that records system operation, user login operations, the system's self-protection when under attack, and other conditions;
System management plane: the supporting environment that coordinates and unifies the system while it is running, with the following functional modules: a user management module that handles user login authentication, creation of new accounts and password changes; a policy management module that accepts customized assessment policies and controls the cooperation between modules according to those policies; and a task management module that controls and adjusts security situation assessment projects, which includes starting and stopping situation assessment projects, adjusting the data collection policy, and setting the data analysis parameters.
The acquisition layer is provided with three classes of sensor groups that respectively collect asset information, asset vulnerability and threats, that is, the basic asset, vulnerability and threat information needed in the risk assessment process. These sensor groups are deployed on hosts or on switches/routers in the network and obtain host-based or network-based data by scanning or monitoring. Sensors deployed on hosts collect host asset information and the vulnerability information of those assets; sensors deployed on switches/routers collect network threat information;
The sensor management module in the acquisition layer contains multiple sensor manager units, a message queue and message processing unit, and a sensor manager registration unit. Each sensor manager unit is an independent functional entity within the sensor management module; it is bound to a particular type of sensor and provides message forwarding and management services for sensors of that type. The message queue and message processing unit stores and processes the messages collected by the sensors. The sensor manager registration unit makes the sensor managers extensible: the managers identify one another by their IDs, which makes the system extensible.
The functions of the modules in the analysis layer are as follows:
Threat assessment module: assesses the collected threat events against the threat event database, and assigns each a numerical value according to the degree to which the threat event affects network security; depending on the vulnerabilities of the asset, the expert-database values used for each threat assignment also differ;
Vulnerability assessment module: assesses the vulnerability parameters collected from the assessment target against the vulnerability database, and assigns values by matching the severity of the vulnerability in the Common Vulnerabilities and Exposures (CVE) database;
Asset value calculation module: analyzes asset and service value comprehensively in a layered manner, and then calculates the asset value from the intrinsic value of the asset, the additional value of the services it carries, the importance of those services, and other relevant factors;
Risk factor management module: analyzes the results of the threat, vulnerability and asset assessments, extracts the parts that endanger the network, services and assets, correlates threats with vulnerabilities, and extracts the risk events that may pose a security threat to the network, for use by the security situation assessment module in its calculation;
Security situation assessment module: using the risk events provided by risk factor management, calculates the network risk value at the current time in real time according to the risk situation calculation model, and predicts the trend of the network risk value;
Threat correlation analysis module: used for offline analysis of the correlations between threat events. It analyzes threat events in depth, relies on the threat correlation knowledge base and known threat correlations to find the relationships between current threat events, generates a correlation graph, and predicts new threat events from that graph, so that analysts can understand the threat events.
The presentation layer comprises the following functional modules: an asset information display module, which shows the asset information in the network, the service information carried by the assets, and other important asset information; a network topology display module, which shows the overall network structure and intuitively indicates the security state of each asset on the topology diagram using different colors; a vulnerability report display module, which analyzes asset vulnerabilities from multiple angles, performs statistical analysis on them, and provides vulnerability remediation measures; a threat report display module, which shows the threat events affecting the network, services or hosts; a security situation display module, which aggregates the network security situation values and shows the network security situation from multiple perspectives and at multiple levels; and a threat correlation display module, which analyzes threat events in depth, uncovers the relationships between threat events in the network, and predicts new threat events.
To achieve the above purpose, the invention also provides a method of assessing the network security situation using the above assessment system, characterized in that: network security situation assessment is the assessment and prediction of the security risk situation of the network. It rests on the following characteristics: the overall operation of a network system comprises many different services; running each service requires the support of multiple network assets; each network asset can support multiple services at the same time; and what people care about is whether the risk events in the network will affect the normal running of each service. Network risk is therefore calculated as the weighted sum of each service's risk and its service importance; that is, the security situation is analyzed and assessed with the service at the center. The method first collects three different kinds of information (assets, vulnerabilities and threats), then calculates asset value from the asset information while performing real-time risk analysis on the vulnerability and threat information; next it extracts the risk factors in the network and manages them; finally, through correlation analysis of historical data and security events, it calculates the risk of the assets, services and whole network, and obtains the overall security situation of the network.
The method comprises the following steps:
(1) the system provides a user interface, and the user creates an assessment task according to their needs;
(2) according to the policy of the assessment task, the system collects the corresponding data, calculates the asset value, vulnerability assignment and threat assignment respectively, analyzes the risk factors among them and extracts risk events, and then assesses and calculates the network security situation from the risk events; at the same time it further analyzes the threat analysis results to uncover the inherent relationships between network threats;
(3) the system presents the assessment results obtained from processing the assessment task in different forms, and the system log records the relevant operations.
Step (1) further comprises the following operations:
(11) after the system presents the login interface and the user enters a user name and password, the user management module authenticates the user and returns the result;
(12) the system provides an input interface through which the user enters the details of the assessment task, including the assessment target network, the asset parameters of the assessment target, and the data analysis parameters;
(13) according to the assessment task information entered by the user, the policy management module decomposes the assessment task into scan tasks that the system can recognize, and forwards the relevant information to the acquisition layer and analysis layer of the system through the internal communication mechanism provided by the communication management module.
Step (2) further comprises the following operations:
(21) the sensor management module of the acquisition layer receives the assessment task information, decomposes it by policy matching, collects asset, vulnerability and threat information through the various sensors, and performs thread monitoring of these sensors;
(22) after the sensor managers convert the format of the raw data collected by the acquisition layer's sensors, the data is sent to the analysis layer;
(23) after the analysis layer receives the data sent by the sensors, the asset value calculation module, vulnerability assessment module and threat assessment module respectively calculate the asset value, vulnerability assignment and threat assignment; the results are then provided to the risk factor management module and the security situation assessment module, which analyze and extract the risk events and use the calculation model to assess the network security situation in real time;
(24) the threat correlation analysis module performs offline analysis of the correlations between threat events and stores the analysis results in the database; this step is optional.
In step (23), the real-time assessment of the network security situation by the security situation assessment module further comprises the following:
(231) calculate the risk of each asset according to the asset risk model $R_a = A \times \sum \{T_x \times V_y\}$, where $A$ is the value of asset $a$; $T_x$ is the threat value assigned according to a threat source to which asset $a$ is exposed and its degree of impact; $V_y$ is the value of a vulnerability that asset $a$ has; and $a$, $x$, $y$ are the indices of the asset, threat and vulnerability respectively;
(232) calculate the risk of each service according to the service risk model $R_s = \sum \{A_z \times \sum \{T_x \times V_y\}\}$, where $A_z$ is the value of an asset that the service comprises; $T_x$ is the threat value assigned according to a threat source to which asset $A_z$ is exposed and its degree of impact; $V_y$ is the value of a vulnerability that asset $A_z$ has; and $z$, $x$, $y$ are the indices of an asset supporting the service, a threat and a vulnerability respectively;
(233) calculate the network risk value of the whole system according to the model in which the security risk of the whole network is the weighted sum of each service's risk and each service's importance: $R_{Total} = \sum \{C_i \times R_i\}$, where $R_i$ is the service risk value of service $i$, $C_i$ is the importance level assigned to service $i$, and $i$ is the index of each service running in the network.
Asset risk refers to, for an asset in the network, the weighted value of the risk events arising on that asset when the asset has a vulnerability and a network threat targets that vulnerability of the asset;
Service risk refers to the likelihood that risk events occur, while a service is running, against the operation of that service and the network equipment carrying it, and the impact they may cause. Service risk is a function of two variables: the likelihood that an incident occurs and the impact the incident may have after it occurs. The former is the likelihood that a threat source exploits a potential vulnerability; the latter is the impact of the incident on network security. The risk value is the risk value under all the threats faced;
Network risk refers to the likelihood of risk events occurring, across the whole network, against the assets of the network and the services running in it, and the impact they may cause. This achieves a unified, convenient and efficient mode of service provision.
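The three-level risk model of steps (231) to (233), worked through as an added example that is not part of the patent text. It assumes the inner sum over $T_x \times V_y$ runs over risk events, i.e. threats paired with a vulnerability the asset actually has, as the asset risk definition above describes; all class names, asset names, identifiers and values are constructed for illustration.

```python
"""Added example: asset, service and network risk per steps (231)-(233).

Assumption (not given as code in the patent): the inner sum over T_x * V_y
runs over risk events, i.e. threats paired with the vulnerability they target.
All names and values below are constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Vulnerability:
    vuln_id: str      # constructed placeholder, not a real CVE identifier
    value: int        # V_y, from the vulnerability assessment module


@dataclass(frozen=True)
class Threat:
    name: str
    value: int        # T_x, from the threat assessment module
    targets: str      # vuln_id this threat would exploit


@dataclass
class Asset:
    name: str
    value: int                                   # A, asset value
    vulns: list = field(default_factory=list)
    threats: list = field(default_factory=list)

    def risk_events(self):
        """Pair each observed threat with the vulnerability it targets.

        A threat aimed at a vulnerability the asset does not have yields
        no risk event and contributes nothing to the sum.
        """
        by_id = {v.vuln_id: v for v in self.vulns}
        return [(t, by_id[t.targets]) for t in self.threats
                if t.targets in by_id]

    def risk(self):
        """R_a = A * sum(T_x * V_y) over this asset's risk events."""
        return self.value * sum(t.value * v.value
                                for t, v in self.risk_events())


@dataclass
class Service:
    name: str
    importance: int                              # C_i
    assets: list = field(default_factory=list)

    def risk(self):
        """R_s = sum over supporting assets of A_z * sum(T_x * V_y)."""
        return sum(a.risk() for a in self.assets)


def network_risk(services):
    """R_Total = sum(C_i * R_i) over all services running in the network."""
    return sum(s.importance * s.risk() for s in services)


def drill_down(services):
    """Rank services by weighted contribution, then assets within each."""
    ranked = sorted(services, key=lambda s: s.importance * s.risk(),
                    reverse=True)
    return [(s.name, s.importance * s.risk(),
             sorted(((a.name, a.risk()) for a in s.assets),
                    key=lambda pair: pair[1], reverse=True))
            for s in ranked]


def sample_network():
    """Constructed network: db-server supports two services at once."""
    web = Asset("web-server", 4,
                vulns=[Vulnerability("VULN-A", 3), Vulnerability("VULN-B", 2)],
                threats=[Threat("injection-probe", 5, "VULN-A"),
                         Threat("worm", 4, "VULN-Z")])    # no matching vuln
    db = Asset("db-server", 5,
               vulns=[Vulnerability("VULN-C", 4)],
               threats=[Threat("password-guessing", 2, "VULN-C"),
                        Threat("flood", 3, "VULN-C")])
    mail = Asset("mail-gateway", 2,
                 vulns=[Vulnerability("VULN-D", 1)])      # vulnerable, no threat
    return [Service("portal", 3, [web, db]),
            Service("billing", 5, [db]),
            Service("mail", 1, [mail])]


if __name__ == "__main__":
    services = sample_network()
    for name, weighted, assets in drill_down(services):
        print(f"{name:8} C_i*R_i={weighted:4}  assets={assets}")
    print("R_Total =", network_risk(services))
```

Because db-server supports both portal and billing, its risk is counted once per service, which is how a single weak asset can dominate the network risk value.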
The present invention is a network security situation assessment method and system. As is well known, the various mature network security tools available today can capture security information in TCP/IP networks. Because the trend in network development is for the various existing networks to merge onto a unified bearer network with an IP-based packet network architecture, the assessment system of the invention is built on the integration of existing mature network security tools. The main feature of the system is that it uses a two-plane, three-layer architecture to complete four operational processes; it covers multiple stages of the network security situation analysis process and strengthens the security of the system itself through the log service. The operating logic of the whole system is clear and smooth, and the coupling between the layers of the system is reduced. The assessment system uses the CORBA distributed system architecture, which minimizes the coupling between the software functional modules of each layer and each plane; the software functional modules of each layer can be distributed across different physical platforms, and the layers themselves can be deployed in different locations, which increases the extensibility and flexibility of the system. In addition, the steps of the assessment method are simple and easy to carry out. The method can provide real-time, dynamic, comprehensive online risk assessment reports on the security state of the various existing networks, future next-generation telecommunication networks and other networks, and can also provide offline risk correlation assessment reports, so it has good practical value.
Description of drawings
Fig. 1 is a schematic diagram of the architecture of the network security situation assessment system of the invention.
Fig. 2 is a schematic diagram of the network deployment of the network security situation assessment system of the invention.
Fig. 3 is a schematic diagram of the structure of the sensor management module in the assessment system of the invention.
Fig. 4 is a schematic diagram of the structure of the analysis layer functional modules in the assessment system of the invention.
Fig. 5 is a flow diagram of the asset information collection process in the assessment system of the invention.
Fig. 6 is a schematic diagram of the structure of the threat correlation analysis module in the assessment system of the invention.
Fig. 7 is a block diagram of the structure of the presentation layer in the assessment system of the invention.
Fig. 8 is a flowchart of the operations by which the assessment system of the invention performs a security situation assessment.
Fig. 9 is a schematic diagram of the risk calculation hierarchy of the assessment system of the invention.
Fig. 10 is the correlation analysis graph generated by the threat correlation analysis, as displayed in a system embodiment of the invention.
Fig. 11 is a schematic diagram of the security situation bar chart displayed in a system embodiment of the invention.
Fig. 12 is a schematic diagram of the security situation line chart displayed in a system embodiment of the invention.
Embodiment
For making the purpose, technical solutions and advantages of the present invention clearer, the present invention is described in further detail below in conjunction with accompanying drawing.
Explain the definition of the some terms among the present invention earlier: assets are the tangible and intangible assets that comprise information equipment, information, production or service ability and social prestige thereof that accumulate by informatization; The assets value is that big more its assets of explanation of this numerical value are important more according to the importance and the numerical value that estimates of other correlative factors of assets in business.Fragility is meant information or assets and safeguard procedures thereof deficiency, leak or the weakness on safety guard, and the fragility value is the fragility numerical value of assessing according to the leak that assets have been found, and big more its assets of explanation of this numerical value are important more; Threat is the infringement that the safety of the information of each unit or assets may be subjected to, threat has a plurality of attributes: the main body of Cyberthreat, ability, resource, motivation, approach, possibility and consequence thereof, the threat value is to come the suffered threat numerical value of appraise assets according to the multiple factor that comprises loss, attack probability of happening and assets value itself that external attack causes assets, and big more its assets of explanation of its numeral are important more.
Referring to Fig. 1, the architecture of the network safety situation evaluating system of the present invention is introduced. The core function of this evaluating system is to assess the security posture of a target network; according to the elements of risk assessment, it should provide asset value calculation, threat analysis, vulnerability analysis and security posture assessment. The system of the present invention therefore has a two-plane, three-layer architecture. The two planes are the public service plane and the system management plane, which perform unified coordination and management of every software function module in the system. The three layers, divided according to the business logic processing flow, are: the acquisition layer, which uses sensors to collect the relevant basic information according to user requirements, manages the sensors, and preprocesses the collected information; the analysis layer, which analyzes and calculates the value of the assets in the network, the fragility, and the threats the system is subjected to, and then calculates the network security posture and performs threat association analysis; and the presentation layer, which presents the asset and topology information of the network, the vulnerability and threat information present in the network, and the security posture of the network from multiple viewpoints and angles. Together the layers complete the four evaluation workflows of assets, fragility, threat and security posture. Each layer is analyzed in detail below:
The acquisition layer is provided with different sensor groups that respectively collect network asset fragility, network threats and network asset information, and with a sensor management module made up of several sensor managers. The main role of the sensor groups is to collect the three classes of basic data required in the risk assessment process: assets, fragility and threats. The sensor groups obtain data mainly by scanning or monitoring on the host assets or switches in the network on which they are deployed. The sensor management module receives the data sent by the sensors, controls the starting and stopping of the acquisition tasks the sensors perform, and performs format conversion on the collected data.
Referring to Fig. 2, the deployment in the network of the evaluating system of the present invention, and of the sensor groups of its acquisition layer, is introduced. The system is provided with several servers: the acquisition layer server, the analysis layer server and the presentation layer server implement the functions of the acquisition layer, analysis layer and presentation layer respectively, and the public service and system management server implements the functions of the public service plane and the system management plane. The sensor groups are deployed on hosts or on switches/routers in the network and are divided into host-based and network-based sensors, which obtain host-based or network-based data by scanning or monitoring. Sensors deployed on hosts collect host asset information and the fragility information of those assets; sensors deployed on switches/routers collect network threat information; and sub sensor management modules deployed in large networks are used to deploy the network sensor groups in layers. The acquisition layer uses sensors to collect the relevant basic information according to user requirements, manages the sensors, and formats the information.
Referring to Fig. 3, an important part of the acquisition layer, the sensor management module, is introduced. It manages the sensor groups in a unified way, sends and receives the data the sensor groups collect, and processes the data collected by the various sensors. It is provided with several sensor manager units, a message queue and message processing unit, and a sensor manager registration unit. Each sensor manager unit is an independent functional entity within the sensor management module; it is bound to one particular type of sensor and provides message transfer and management services for sensors of that type. If a new sensor is added, a new sensor manager can be written to handle it, which greatly improves the extensibility of the system. This extensibility is realized by the sensor manager registration unit and the message queue unit. Sensor group access is the key part of the sensor manager, and the way to provide access is to study the internal communication mechanism of the tool. If the tool has an internal communication protocol, the tool is controllable, and a sensor manager only needs to encapsulate its internal protocol in order to manage it. If the tool has no internal communication protocol and can only record data locally, or records no data, the tool is not controllable, and a corresponding auxiliary tool must also be written for it to provide a remote transmission service. A sensor agent acts as a proxy for the data acquisition and management functions of a sensor; besides processing commands and data, the agent can be designed with added storage/query functions to make it convenient to query historical data and analyze it in depth. The message queue and message processing unit stores and processes the messages collected from the sensors. The evaluating system of the present invention also borrows from the general principle of correspondence delivery to design a message format: the message field in this format stores only the names of the source and destination modules of the message, and the concrete message content is encapsulated in the message body. In this way one message format can handle many kinds of message body. The sensor manager registration unit is used to realize the extensibility of the sensor managers, so that they can identify one another by the identifier (ID) of each sensor manager and the extensibility of the system is realized. Each ID is associated with a concrete sensor and is registered and recorded by the sensor manager. Every sensor manager registers its own ID with the sensor manager registration unit when it starts. The message queue processing then looks up the module corresponding to an ID in the sensor manager registration unit and forwards the message to that module for processing.
Referring to Fig. 4, the core of the system of the present invention, the analysis layer, is introduced. It comprises the threat assessment module, the vulnerability assessment module, the asset value calculation module, the risk factor management module and the security posture evaluation module, which analyze and process the data collected by the above modules in real time, and the threat association analysis module, which is used for off-line analysis. The analysis layer performs on-line analysis of the risk factor data collected by the acquisition layer, comprising asset, threat and fragility data: it provides analysis and management of the risk factors, extracts risk events from them, assigns values to them in real time and, according to the risk calculation model, calculates the risk values of the network, business and assets and predicts the security posture. Alternatively it uses off-line analysis: association analysis is performed on the collected threat data in order to give early warning of new threats to the network and to discover the associations between network attacks.
Referring to Fig. 5, the asset value calculation module of the system of the present invention calculates asset value from the asset information and the business the asset carries. To automate the collection of asset information, the relevant information is first entered manually; the evaluating system of the present invention then uses the asset sensors to scan and work out the assets deployed in the real network and the business carried on them, and gives results and prompts; finally a person confirms the final information for the asset. After confirmation, a value is assigned to it according to the asset value calculation method that the system of the present invention adopts. The on-line analysis engine performs the real-time analysis of data and comprises the asset value calculation module, the vulnerability assessment module, the threat assessment module, the risk factor management module and the security posture evaluation module.
The function of each module in the analysis layer is described below:
The threat assessment module analyzes and assesses the collected threat events using an authoritative threat event database. Many authoritative intrusion detection tools already assign a value to each actual threat type; values are assigned on the basis of these threat assignments in combination with the threat type. A corresponding value is then assigned according to the degree to which the threat event affects network security; depending on the fragility of the asset, the value in the expert database that each threat assignment uses also differs. After assignment, the network threat assignment results are stored in the risk factor management module. Because threat information changes constantly, the risk factor management module caches it for a period of time and then writes the threat information results cached during that period to the database.
The vulnerability assessment module assesses the network vulnerability information collected about the evaluation object and assigns and calculates values for it. Fragility is a basic security attribute of the evaluation object; values are assigned on the basis of the danger-level assignment data stored in a fragility database built on the public Common Vulnerabilities and Exposures (CVE) database. After assignment, the result is submitted to the risk factor management module, and the completed fragility data structure is written to the database.
The asset value calculation module analyzes asset value and business value together in a layered manner, and calculates the asset value from the intrinsic value of the asset, the attached value of the business it carries, the importance of that business, and other related factors.
The risk factor management module maintains asset, network vulnerability and network threat information in memory. Using the associations between assets, fragility and threats, it extracts the parts that endanger assets, associates threats with fragility, and extracts the risk factors and risk events that may pose a security threat to the network, so that the security posture evaluation module can calculate and predict risk in real time. The risk factor management module mainly keeps the network vulnerability assignment results from the most recently completed scan. Because threat information is real-time, and because of the nature of the security posture formula, the risk factor management unit has to store the network threat assignment results for a set period of time. This leads to the concept of a window. The risk factor management module keeps the data that falls within the window; the edge of the window is the current time, and the window size is set by the user. That is, the threat assignments kept in the window are all the threat assignments in a certain period of time counting back from the current time, and the length of this period is the size of the window.
The security posture evaluation module extracts, from the analysis of the threat, fragility and asset assessment results, the parts that endanger the network, business and assets, and supplies them to the security posture assessment calculation. Risk factor management associates threats with fragility and extracts the risk events that may pose a security threat to the network. From the risk events provided by the risk factor management module, and according to the risk posture computation model, the module calculates in real time the assignment of the current threat events, the assignment of the fragility, and the asset value, and from these the network risk value at the current time. According to the analysis of the risk factor management module it integrates the otherwise isolated threat, fragility and asset information, and calculates and predicts how the risk value of the whole network will develop using the method proposed above. The calculation method of this module is described in detail later.
Referring to Fig. 6, the threat association analysis module, which performs the off-line analysis in the security posture assessment, is described. It mainly performs association analysis on the threat events occurring in the network in order to analyze them in depth. Relying on the threat association knowledge base and known threat associations, it finds the associations between the current threat events and finally generates an association graph and predicts new threat events, so that analysts can understand the threat events further.
The information about fragility and assets is relatively stable, whereas threat information changes dynamically and frequently. Threat information comes from the individual threat events reported by each intrusion detection tool. Because these events are all isolated, the evaluating system of the present invention includes the threat association analysis module, which studies and resolves the associations between isolated threat events and finds the causes of threat events and what they may lead to.
The threat association analysis module is provided with a polling process which, at regular intervals, takes the threat alert data collected by the acquisition layer during that interval and stores it in the database. The alert data in the database is first converted by the alarm preprocessing unit into an advanced alert format, which adds to each alert the results it may cause and its conditions so that association analysis can be performed. The alarm association matching and association graph generation unit then summarizes the factors in the advanced alerts, uses the threat association knowledge base to derive the relations between the alerts, and forms an association graph, achieving the aim of predicting new threats.
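The preprocessing, matching and prediction described above can be sketched as follows. This is an added Python example, not code from the patent: the knowledge base entries, predicate names, addresses and all alert names other than "ICMP PING NMAP" are constructed, and binding each condition to the destination host is an assumption.

```python
"""Threat alert correlation by matching consequences to prerequisites."""
from dataclasses import dataclass

# Constructed threat association knowledge base (assumption):
# alert name -> (prerequisite predicates, consequence predicates).
KNOWLEDGE_BASE = {
    "ICMP PING NMAP": (frozenset(), frozenset({"host_alive"})),
    "TCP PORT SCAN": (frozenset({"host_alive"}), frozenset({"open_port_known"})),
    "SERVICE VERSION PROBE": (frozenset({"open_port_known"}),
                              frozenset({"service_identified"})),
    "LOGIN BRUTE FORCE": (frozenset({"service_identified"}),
                          frozenset({"account_access"})),
}


@dataclass(frozen=True)
class RawAlert:
    alert_id: int
    time: float   # seconds since the start of the polling interval
    name: str
    src: str
    dst: str


@dataclass(frozen=True)
class AdvancedAlert:
    raw: RawAlert
    prerequisites: frozenset   # facts (predicate, host) that must hold first
    consequences: frozenset    # facts (predicate, host) the event may cause


def preprocess(raw_alerts, kb=KNOWLEDGE_BASE):
    """Convert raw alerts to the advanced format; return (advanced, unknown)."""
    advanced, unknown = [], []
    for alert in raw_alerts:
        entry = kb.get(alert.name)
        if entry is None:
            unknown.append(alert)   # no knowledge base entry: set aside, do not guess
            continue
        pre, post = entry
        advanced.append(AdvancedAlert(
            raw=alert,
            prerequisites=frozenset((p, alert.dst) for p in pre),
            consequences=frozenset((c, alert.dst) for c in post),
        ))
    return advanced, unknown


def correlate(advanced, max_gap=3600.0):
    """Return edges (a_id, b_id) meaning alert a is a prerequisite of alert b."""
    edges = []
    ordered = sorted(advanced, key=lambda a: a.raw.time)
    for i, a in enumerate(ordered):
        for b in ordered[i + 1:]:
            gap = b.raw.time - a.raw.time
            if gap <= 0 or gap > max_gap:
                continue            # b must follow a, within the allowed gap
            if a.consequences & b.prerequisites:
                edges.append((a.raw.alert_id, b.raw.alert_id))
    return edges


def predict(advanced, kb=KNOWLEDGE_BASE):
    """Per host, alert types whose prerequisites now hold but were not yet seen."""
    facts, seen = {}, {}
    for a in advanced:
        host = a.raw.dst
        facts.setdefault(host, set()).update(p for p, _ in a.consequences)
        seen.setdefault(host, set()).add(a.raw.name)
    predictions = {}
    for host, held in facts.items():
        nxt = sorted(name for name, (pre, _) in kb.items()
                     if pre and pre <= held and name not in seen[host])
        if nxt:
            predictions[host] = nxt
    return predictions


# Constructed sample alerts, as one polling interval might deliver them.
SAMPLE_ALERTS = [
    RawAlert(71, 10.0, "ICMP PING NMAP", "198.51.100.7", "192.0.2.10"),
    RawAlert(72, 25.0, "TCP PORT SCAN", "198.51.100.7", "192.0.2.10"),
    RawAlert(73, 40.0, "SERVICE VERSION PROBE", "198.51.100.7", "192.0.2.10"),
    RawAlert(74, 30.0, "TCP PORT SCAN", "198.51.100.7", "192.0.2.20"),
    RawAlert(75, 50.0, "VENDOR SPECIFIC EVENT", "198.51.100.7", "192.0.2.10"),
]

if __name__ == "__main__":
    adv, unknown = preprocess(SAMPLE_ALERTS)
    print("edges:", correlate(adv))
    print("predicted:", predict(adv))
    print("unmatched alert ids:", [a.alert_id for a in unknown])
```

Alert 74 has no preceding ping alert on its host, so it gets no incoming edge, yet its consequence still feeds the prediction for that host; alert 75 is reported as unmatched rather than silently dropped.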
The presentation layer displays, in an intuitive graphical manner, the network assets, network topology, fragility and threat information present in the network and the security posture of the network. It comprises: the asset information display module, the fragility display module, the threat display module, the threat association display module, the network topology display module and the security posture display module.
Referring to Fig. 7, the presentation layer, which uses a browser/server architecture, is introduced. It displays, in an intuitive graphical manner, the network assets, network topology, fragility and threat information present in the network and the security posture of the network, and comprises the following modules:
The asset information display module shows the asset information in the network, the business information the assets carry, and other important information. This module lists, in report form, all the assets in the current network with their asset value, the business they carry, and other basic information, so that when a risk event occurs the system or the user can find the specific asset promptly and accurately and has a clear picture of its basic condition.
The network topology display module shows the overall topology of the network and marks the security situation of each asset on the topology graph intuitively in different colors. This module generates the network topology graph from the data obtained by the topology scanning tool and then works on that graph, so that the network can be displayed at the macroscopic level from its topology, with assets color-coded by the risk classes extremely low, low, medium, high and extremely high.
The fragility report display module analyzes asset fragility from several aspects, performs statistical analysis of it, and provides fragility remedial measures. Its main function is to retrieve the vulnerability information in the database, display it, and provide a fragility report comprising the fragility name, information about the asset on which the fragility is found, the remedy for the fragility, the probability that the fragility is exploited, and the danger level of the fragility. The module also performs statistical analysis of the fragility of the assets in the network in the form of pie charts and bar charts, showing vulnerability information efficiently.
The threat report display module shows the threat events suffered by the network, business or hosts. Its main function is to provide a threat report comprising information such as the threat name, threat source, threat destination and threat intensity. The module also aggregates identical threats and analyzes threat events using threat source and threat destination as attribute conditions.
The security posture display module aggregates the network safety situation values and shows the network safety situation from multiple perspectives and at multiple levels.
The threat association display module analyzes threat events in depth, uncovers the associations between threat events in the network, and predicts new threat events.
All the software function modules at the levels described above rely on the public service plane and the system management plane for unified coordination. The public service plane is the provider of public services while the system runs; it provides data services, communication services between the modules of the system, timing services and log services. It comprises the following modules. The communication service module provides the internal communication mechanism between the layers. The timing service module maintains the system clock: it maintains one clock for the running system, whose time is used to synchronize the three layers of the whole system and to provide unified time management for task execution. The data service module provides data transfer, storage and data management between the layers: this module is the database the system maintains and the place where all the system's data is concentrated, and the results of on-line and off-line analysis are stored in this database for the presentation layer to retrieve. The log service module records system operation, user login operations, the system's self-protection when under attack, and other situations: this module uses mature log file technology, relevant record information is added in every other module of the system, and log management operations such as querying, storing and deleting log entries are performed through the log service module.
The system management plane is the supporting environment for unified coordination while the system runs, and is provided with the following functional modules. The user management module handles user login authentication, creation of new accounts and password changes; it maintains the data of users who log in to the system, verifies user identity, and provides user management functions for the administrator. The user management module provides the interface for interaction between the user and the system. The policy management module accepts customized assessment policies and controls the cooperation between modules according to them; during task execution it manages by applying the corresponding policy (for example the acquisition frequency of the acquisition layer sensor groups). Although this module is logically separate from the task management module, the two act together in the implementation. When submitting a task, the user needs to configure the task execution policy and the system operation policy separately. The task management module controls and adjusts security posture evaluation items, that is, it starts and stops posture evaluation items, adjusts the data acquisition policy, and sets the relevant data analysis parameters; it contains what the user can operate after logging in, including starting and stopping posture evaluation items, adjusting the data acquisition policy, and configuring the data analysis parameters. The evaluating system of the present invention coordinates the work of all the other modules through this module: the running state of every other module is maintained, and commands are issued, by this module.
The method by which the present invention uses the network safety situation evaluating system to assess the network safety situation is introduced below. As is well known, the core function of the evaluating system of the present invention is to assess and predict the security risk situation of a target network; according to the elements of risk assessment, the system must provide asset value calculation, threat analysis, vulnerability analysis and security posture assessment. The overall operation of a network system comprises several different businesses; the operation of each business needs the support of several network assets, and each network asset can support several businesses at the same time. What people care about is whether risk events in the network affect the normal operation of each business. Network risk is therefore calculated as the weighted sum of each business's risk and its business importance, that is, the security posture is analyzed and assessed with business at the center. Accordingly, the network security situation evaluating method of the present invention (see Fig. 8) first collects three different kinds of information, on assets, fragility and threats; then calculates asset value from the asset information while performing real-time risk analysis on the vulnerability and threat information; then extracts the risk factors in the network and manages them; and finally, through association analysis of historical data and security events, calculates the risk of the assets, business and whole network and obtains the overall security posture of the network.
This method comprises the following operating steps:
Step 1: the system provides a user interface, and the user creates an evaluation task according to their own requirements. The specific operations of this step are:
(11) The system provides a user login interface; after the user enters a user name and password, the user management module authenticates the user and returns the result;
(12) The system provides a user input interface, through which the user enters the specifics of the evaluation task, comprising the evaluation object network, the asset parameters of the evaluation object, and the data analysis parameters;
(13) According to the evaluation task information entered by the user, the policy management module decomposes the evaluation task into scan tasks that the system can recognize, and forwards the relevant information to the acquisition layer and analysis layer of the system through the internal communication mechanism provided by the communication management module.
Step 2: the system collects the corresponding data according to the policy of the evaluation task, calculates the asset value, fragility assignment and threat assignment, analyzes the risk factors in them and extracts risk events, and then assesses and calculates the network security posture from the risk events; at the same time it analyzes the threat analysis results again to uncover the inherent associations between network threats.
The detailed flow of this key operating step of the method of the present invention is described according to the basic flow and elements of network safety situation assessment and the definition of network safety situation. Network safety situation assessment is the assessment of the network's security risk situation. Its three main elements are assets, threats and fragility, and the system obtains the basic data for these three elements through the sensor groups of the data acquisition module. Asset data is collected by the asset sensors and passed to the asset value calculation module of the analysis layer, which calculates the value of the assets. Threat and fragility data are collected by the threat sensors and fragility sensors and passed to the threat assessment module and vulnerability assessment module of the analysis layer respectively, and are then handed to the risk factor management module for unified storage and management. The security posture evaluation module then combines the asset information with the risk elements, calculates each risk value in real time, and derives the current security posture value of the evaluation object network.
Asset risk refers to a given asset in the network: when the asset has a fragility and a network threat targets the asset, it is the weighted value of the risk events produced on the asset through that fragility. Business risk refers to the possibility that, while a business is running, risk events occur against the operation of the business and the network equipment that carries it, and the impact they may cause. Business risk is a function of two variables: the possibility that an incident occurs and the impact the incident may have after it occurs. The former is the possibility that a threat source exploits a potential fragility; the latter is the impact the incident has on network security. The risk value is the risk figure under all the threats faced. Network risk refers to the possibility of risk events occurring across the whole network, against the assets of the network and the business running in it, and the impact they may cause.
Because the collected basic network information changes constantly, the system of the present invention can capture these changes in real time, promptly reflect the current security posture of the system, and carry out continuous situation assessment. The specific operations of this step are:
(21) The sensor management module of the acquisition layer receives the evaluation task information, decomposes it by policy matching, collects asset, fragility and threat information through the various sensors, and monitors these sensors by thread;
(22) The raw data obtained by the various sensors of the acquisition layer is format-converted by the sensor managers and then sent to the analysis layer;
(23) After the analysis layer receives the data sent by the various sensors, the asset value calculation module, vulnerability assessment module and threat assessment module calculate the asset value, fragility assignment and threat assignment respectively; the results are supplied to the risk factor management module and the security posture evaluation module, and the latter analyzes and extracts risk events from them and uses the computation models to assess the network safety situation in real time;
Referring to Fig. 9, the specific operations by which the security posture evaluation module assesses the network safety situation in real time in step (23) are:
(231) Calculate each asset risk according to the asset risk computation model $R_a = A \times \sum \{T_x \times V_y\}$, where $A$ is the value of asset $a$, $T_x$ is the value assigned to a threat that asset $a$ suffers, according to its threat source and degree of impact, $V_y$ is the value of a fragility that asset $a$ has, and $a$, $x$, $y$ are the sequence numbers of the asset, threat and fragility respectively;
(232) Calculate each business risk according to the business risk computation model $R_s = \sum \{A_z \times \sum T_x \times V_y\}$, where $A_z$ is the value of an asset that the business comprises, $T_x$ is the value assigned to a threat that asset $A_z$ suffers, according to its threat source and degree of impact, $V_y$ is the value of a fragility that asset $A_z$ has, and $z$, $x$, $y$ are the sequence numbers of an asset, threat and fragility that support the business;
(233) Calculate the network risk value of the whole system according to the computation model in which the security risk of the whole network is the weighted sum of each business's risk and each business's importance: $R_{Total} = \sum \{C_i \times R_i\}$, where $R_i$ is the business risk value of business $i$, $C_i$ is the importance level assignment of business $i$, and $i$ is the sequence number of each business running in the network.
(24) The threat association analysis module performs off-line analysis of the associations between threat events and stores the analysis results in the database; this step is optional.
Step 3: the system displays the assessment results obtained after processing the evaluation task in different forms, and the system log records the related operations.
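The three risk models of steps (231) to (233), combined with the threat window kept by the risk factor management module, can be worked through as follows. This is an added Python example, not code from the patent: the integer scores, the asset, business and fragility names, and the rule that a threat contributes only when it is associated with a fragility found on its target asset are assumptions made for the illustration.

```python
"""Asset, business and network risk over a sliding threat window."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ThreatEvent:
    time: float    # seconds; when the threat assignment was made
    asset: str     # asset the threat targets
    vuln_id: str   # fragility the threat is associated with (assumed field)
    value: int     # T_x, the threat assignment


class RiskFactorStore:
    """In-memory risk factors: asset values, last scan, windowed threats."""

    def __init__(self, window):
        if window <= 0:
            raise ValueError("window size must be positive")
        self.window = window      # set by the user, in seconds
        self.asset_value = {}     # asset -> A
        self.fragility = {}       # asset -> {vuln_id: V_y} from the last scan
        self.threats = []

    def set_asset(self, name, value, fragility):
        # A new scan result replaces the previous one for this asset.
        self.asset_value[name] = value
        self.fragility[name] = dict(fragility)

    def add_threat(self, event):
        self.threats.append(event)

    def expire(self, now):
        """Discard threat assignments that have left the window."""
        self.threats = [t for t in self.threats if t.time > now - self.window]

    def risk_events(self, now):
        """Return (asset, T_x, V_y) for windowed threats that match a fragility."""
        events = []
        for t in self.threats:
            if not (now - self.window < t.time <= now):
                continue          # outside the window whose edge is `now`
            v = self.fragility.get(t.asset, {}).get(t.vuln_id)
            if v is not None:     # no matching fragility: no risk event
                events.append((t.asset, t.value, v))
        return events


def asset_risk(store, asset, now):
    """R_a = A * sum(T_x * V_y) over the asset's risk events."""
    total = sum(t * v for a, t, v in store.risk_events(now) if a == asset)
    return store.asset_value[asset] * total


def business_risk(store, assets, now):
    """R_s = sum over supporting assets z of A_z * sum(T_x * V_y)."""
    return sum(asset_risk(store, a, now) for a in assets)


def network_risk(store, businesses, now):
    """R_Total = sum(C_i * R_i); businesses maps name -> (C_i, [assets])."""
    return sum(c * business_risk(store, assets, now)
               for c, assets in businesses.values())


# Constructed sample data; "db" supports both businesses.
BUSINESSES = {"portal": (3, ["web", "db"]), "email": (1, ["mail", "db"])}


def build_sample_store(window):
    store = RiskFactorStore(window)
    store.set_asset("web", 4, {"V-1": 3, "V-2": 2})
    store.set_asset("db", 5, {"V-3": 4})
    store.set_asset("mail", 2, {})            # scan found no fragility
    for event in (ThreatEvent(100, "web", "V-1", 2),
                  ThreatEvent(400, "web", "V-2", 5),
                  ThreatEvent(450, "db", "V-3", 3),
                  ThreatEvent(460, "mail", "V-9", 4),  # no matching fragility
                  ThreatEvent(470, "web", "V-1", 1)):
        store.add_threat(event)
    return store


if __name__ == "__main__":
    s = build_sample_store(window=300)
    for name in ("web", "db", "mail"):
        print(name, asset_risk(s, name, now=500))
    print("network:", network_risk(s, BUSINESSES, now=500))
```

With a 300-second window at time 500 the threat recorded at time 100 no longer counts; widening the window to 1000 seconds brings it back and raises the network risk value from 396 to 468.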
The present invention has been put through implementation tests, and the tests were successful and achieved the object of the invention. Some aspects of the implementation tests are briefly described below:
Referring to Figure 10, this figure is a threat association graph generated by the threat association analysis module during the implementation test of the evaluating system of the present invention. The ellipses in the figure represent network threat alert events, and the arrows represent the associations between threat events. The first ellipse on the left represents the 71st of all the alarms collected in this simulation test, an alarm named "ICMP PING NMAP". An arrow from A to B in the figure means that alarm A is a prerequisite for the occurrence of alarm B, and alarm B is a consequence of alarm A.
Referring to Figure 11, this figure is the asset risk situation that the security posture display module in the evaluating system of the present invention shows as a bar chart. The horizontal axis is the assets and the vertical axis is the corresponding risk value; dividing lines split the vertical axis into five risk classes: extremely low, low, medium, high and extremely high. Each bar represents one asset, the height of the bar indicates the risk value of that asset, and the bars are marked with different color depths. The business security posture chart of the present invention is similar to this asset security posture chart, except that the horizontal axis is in units of business.
Referring to Figure 12, this figure is also a security posture chart generated by the security posture display module in the evaluating system of the present invention. It shows how the security risk of the network, business and assets changes and predicts the future security trend. The line in the figure is formed by connecting the security risk values of the network, business or assets; the line chart intuitively represents how the risk value of the network, business or assets changes over time and displays it dynamically in real time. This module reads the security posture value in real time at 30-second intervals and predicts the security trend with a chaos theory prediction method.

Claims (10)

1. A network security situation assessment system, characterized in that: the system has a two-plane, three-layer architecture, provided with a public service plane and a system management plane that perform unified coordination and management of each functional module in the system, and with three layers divided according to the business logic processing flow: an acquisition layer, an analysis layer and a presentation layer, which carry out the four assessment operations of assets, vulnerability, threat and security situation; wherein:
The acquisition layer consists of different sensor groups that respectively collect asset vulnerability, threat and asset information, and of a sensor management module made up of multiple sensor managers, so that the sensors are used to collect the relevant basic information and, according to user requirements, the sensors are managed and the information is format-processed;
The analysis layer is the core functional layer of the system; it is responsible for online analysis of the risk factor data collected by the acquisition layer, including assets, threats and vulnerabilities, extracting risk events, assigning values to them and calculating them in real time, and predicting the security situation; or for performing association analysis on the collected threat data, in order to give early warning of new threats to the network and to discover the associations between network attacks; it comprises a threat assessment module, a vulnerability assessment module and an asset value calculation module, a risk factor management module and a security situation assessment module that analyze and process in real time the data obtained by the above modules, and a threat association analysis module used for offline analysis;
The presentation layer presents, in an intuitive graphical manner, the network assets, the network topology, the vulnerabilities present in the network, information on the threats faced, and the security situation of the network; it comprises: an asset information display module, a vulnerability report display module, a threat report display module, a threat association display module, a network topology display module and a security situation display module;
The public service plane is the provider of public services while the system is running, responsible for providing data services, communication services between the system's modules, timing services and log services; it comprises: a communication service module that provides internal communication between the layers, a timing service module that maintains the system clock, a data service module that provides data transmission, storage and data management between the layers, and a log service module that records system operation, user login operations, the system's self-protection when under attack, and other conditions;
The system management plane serves as the supporting environment that provides coordination and unification while the system is running, and is provided with the following functional modules: a user management module that performs user login authentication, creates new accounts and changes passwords; a policy management module that accepts customized assessment policies and controls the cooperation among the modules according to those policies; and a task management module that controls and adjusts security situation assessment projects, which includes starting and stopping situation assessment projects, adjusting the data acquisition policy, and setting the relevant parameters of data analysis.
2. The network security situation assessment system according to claim 1, characterized in that: the acquisition layer is provided with three classes of sensor groups that respectively collect asset information, asset vulnerabilities and threats, gathering the basic information on assets, vulnerabilities and threats required in the risk assessment process; these sensor groups are deployed on hosts or on switches/routers in the network and obtain host-based or network-based data by scanning or monitoring; the sensors deployed on hosts are responsible for collecting host asset information and the corresponding asset vulnerability information; the sensors deployed on switches/routers are used to collect network threat information;
The sensor management module in the acquisition layer is provided with multiple sensor manager units, a message queue and message processing unit, and a sensor manager registration unit; each sensor manager unit, as an independent functional entity within the sensor management module, is bound to a particular type of sensor and provides message forwarding and management services for that type of sensor; the message queue and message processing unit is responsible for storing and processing the messages collected by the sensors; the sensor manager registration unit implements the extensibility of the sensor managers, so that they identify one another by each sensor manager's identifier (ID), thereby achieving the extensibility of the system.
3. The network security situation assessment system according to claim 1, characterized in that the functions of the modules in the analysis layer are respectively:
The threat assessment module assesses the collected threat events against the threat event database, and then assigns each threat event a corresponding value according to the degree to which it affects network security; depending on the vulnerabilities of the asset, the values in the expert database used for each threat assignment also differ;
The vulnerability assessment module assesses the vulnerability parameters collected from the assessment object against the vulnerability database, and assigns values by matching the severity of each vulnerability in the Common Vulnerabilities and Exposures (CVE) database;
The asset value calculation module comprehensively analyzes asset and business value in a layered manner, and then calculates the asset value from the asset's intrinsic value, the attached value of the businesses it carries, and the importance and other related factors of those businesses;
The risk factor management module analyzes the results of the threat, vulnerability and asset assessments, extracts the parts that are harmful to the network, businesses or assets, associates threats with vulnerabilities, and extracts the risk events that may pose a security threat to the network, for the security situation assessment module to calculate;
The security situation assessment module, based on the risk events provided by risk factor management, calculates the network risk value at the current moment in real time according to the risk situation computation model, and predicts the development trend of the network risk value;
The threat association analysis module, used for offline analysis and processing of the associations among threat events, analyzes threat events in depth; relying on the threat association knowledge base and known threat associations, it finds the associations among the current threat events, generates an association graph and predicts new threat events from that graph, to help analysts understand the threat events.
4. The network security situation assessment system according to claim 1, characterized in that the presentation layer comprises the following functional modules: an asset information display module that shows the asset information in the network, the information on the businesses the assets carry, and other important asset information; a network topology display module that shows the overall network structure and represents the security situation of each asset on the topology map intuitively with different colors; a vulnerability report display module that analyzes asset vulnerabilities from multiple aspects, performs statistical analysis on them, and provides vulnerability remediation measures; a threat report display module that shows the threat events suffered by the network, businesses or hosts; a security situation display module that aggregates the network security situation values and presents the network security situation from multiple perspectives and at multiple levels; and a threat association display module that analyzes threat events in depth, mines the associations among threat events in the network, and predicts new threat events.
5. A method for assessing the network security situation using the network security situation assessment system of claim 1, characterized in that: the network security situation assessment is the assessment and prediction of the network's security risk situation; it is based on the characteristics that the overall operation of the network system comprises multiple different businesses, that the operation of each business requires the support of multiple network assets while each network asset can support the operation of multiple businesses at the same time, and that the focus of concern is whether risk events in the network will affect the normal operation of each business; network risk is therefore calculated as the weighted sum of each business's risk and its business importance, that is, the security situation is analyzed and assessed with the business at the center; the network security situation assessment method first collects three different kinds of information, on assets, vulnerabilities and threats, then calculates the asset value from the asset information while performing real-time risk analysis on the vulnerability information and threat information; it then extracts the risk factors in the network and manages them; finally, through association analysis of historical data and security events, it calculates the risk of the assets, the businesses and the whole network, and obtains the overall security situation of the network.
6. The method for assessing the network security situation according to claim 5, characterized in that the method comprises the following operating steps:
(1) the system provides a user interface, and the user creates an assessment task according to his or her own needs;
(2) according to the policy of the assessment task, the system collects the corresponding data, calculates the asset value, the vulnerability assignment and the threat assignment respectively, then analyzes the risk factors among them and extracts risk events, and then assesses and calculates the network security situation from the risk events; at the same time, it further analyzes the results of the threat analysis to mine the inherent associations among network threats;
(3) the system presents the assessment results obtained after processing the assessment task in different forms, and the system logs the relevant operations.
7. The method for assessing the network security situation according to claim 6, characterized in that step (1) further comprises the following operations:
(11) the system provides a user login interface; after the user enters a user name and password, the user management module authenticates them and returns the result;
(12) the system provides a user input interface, through which the user enters the specific information of the assessment task, including the network to be assessed, the asset parameters of the assessment object and the data analysis parameters;
(13) according to the assessment task information entered by the user, the policy management module decomposes the assessment task into scan tasks that the system can recognize, and forwards the relevant information to the acquisition layer and the analysis layer of the system through the internal communication mechanism provided by the communication management module.
8. The method for assessing the network security situation according to claim 6, characterized in that step (2) further comprises the following operations:
(21) the sensor management module of the acquisition layer receives the relevant information of the assessment task, decomposes it according to policy matching, collects the relevant asset, vulnerability and threat information through the various sensors, and performs thread monitoring of these sensors;
(22) the raw data collected by the various sensors of the acquisition layer is format-converted by the sensor managers and then sent to the analysis layer;
(23) after the analysis layer obtains the corresponding data sent by the various sensors, the asset value calculation module, the vulnerability assessment module and the threat assessment module respectively calculate the asset value, the vulnerability assignment and the threat assignment; the results are then provided to the risk factor management module and the security situation assessment module, which analyze and extract the risk events and use the computation model to assess the network security situation in real time;
(24) the threat association analysis module performs offline analysis of the associations among threat events and stores the analysis results in the database; this step is optional.
9. The method for assessing the network security situation according to claim 8, characterized in that, in step (23), the operation by which the security situation assessment module assesses the network security situation in real time further comprises the following:
(231) according to the asset risk computation model $R_a = A \times \sum \{ T_x \times V_y \}$, where $A$ is the value of asset $a$, $T_x$ is the threat value assigned according to the source and degree of impact of a threat suffered by asset $a$, $V_y$ is the value of a vulnerability that asset $a$ has, and $a$, $x$, $y$ are the indices of the assets, threats and vulnerabilities respectively, calculate the risk of each asset;
(232) according to the business risk computation model $R_s = \sum \{ A_z \times \sum \{ T_x \times V_y \} \}$, where $A_z$ is the value of an asset included in the business, $T_x$ is the threat value assigned according to the source and degree of impact of a threat suffered by asset $A_z$, $V_y$ is the value of a vulnerability that asset $A_z$ has, and $z$, $x$, $y$ are the indices of the assets, threats and vulnerabilities supporting the business respectively, calculate the risk of each business;
(233) according to the computation model in which the security risk of the whole network is the weighted sum of each business's risk and each business's importance, calculate the network risk value of the whole system: $R_{Total} = \sum \{ C_i \times R_i \}$, where $R_i$ is the risk value of a business $i$, $C_i$ is the importance value assigned to business $i$, and $i$ is the index of each business running in the network.
10. The method for assessing the network security situation according to claim 9, characterized in that: the asset risk refers to, for an asset present in the network, the weighted value of the risk events generated on that asset when the asset has a vulnerability and a network threat targets that vulnerability of the asset;
The business risk refers to the likelihood that, while a business is running, risk events occur against the operation of that business and the network devices carrying it, and the impact they may cause; business risk is a function of the following two variables: the likelihood that an incident occurs and the impact the incident may have after it occurs, the former being the likelihood that a threat source exploits a potential vulnerability and the latter being the impact of the incident on network security; the risk value is the risk value under all the threats faced;
The network risk refers to the likelihood that, across the whole network, risk events occur against the assets of the network and the businesses running in it, and the impact they may cause.
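The three-level risk model of claims 9 and 10 (asset, business, network), worked through as an added example that is not part of the patent text. The 1-5 value scale, the asset, alert and vulnerability names (other than "ICMP PING NMAP") and all sample figures are constructed assumptions.

```python
"""Added example: R_a, R_s and R_Total from claim 9 on constructed data."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ThreatEvent:
    asset: str      # asset the alert was raised against
    name: str       # alert name
    value: int      # T_x, assigned by the threat assessment step
    exploits: str   # id of the vulnerability the threat relies on


def extract_risk_events(threats, vulns_by_asset):
    """Pair each threat with the vulnerability it targets on the same asset.

    Returns {asset: [(T_x, V_y), ...]}. A threat whose target vulnerability
    is absent from the asset yields no risk event (claim 10).
    """
    events = defaultdict(list)
    for t in threats:
        v = vulns_by_asset.get(t.asset, {}).get(t.exploits)
        if v is not None:
            events[t.asset].append((t.value, v))
    return dict(events)


def asset_risk(asset_value, pairs):
    """R_a = A * sum(T_x * V_y) over the asset's risk events."""
    return asset_value * sum(t * v for t, v in pairs)


def business_risk(asset_names, asset_values, events):
    """R_s = sum over supporting assets z of A_z * sum(T_x * V_y)."""
    return sum(asset_risk(asset_values[a], events.get(a, []))
               for a in asset_names)


def network_risk(businesses, asset_values, events):
    """R_Total = sum(C_i * R_i); businesses maps name -> (C_i, [assets])."""
    return sum(c * business_risk(names, asset_values, events)
               for c, names in businesses.values())


# Constructed sample inventory; all values use an assumed 1-5 scale.
ASSET_VALUES = {"web-01": 4, "db-01": 5, "mail-01": 2}
VULNS = {
    "web-01": {"vuln-a": 3, "vuln-b": 2},
    "db-01": {"vuln-c": 4},
    "mail-01": {},
}
THREATS = [
    ThreatEvent("web-01", "ICMP PING NMAP", 1, "vuln-a"),
    ThreatEvent("web-01", "web injection attempt", 4, "vuln-b"),
    ThreatEvent("db-01", "repeated login failure", 3, "vuln-c"),
    ThreatEvent("mail-01", "relay probe", 2, "vuln-d"),    # asset lacks vuln-d
    ThreatEvent("db-01", "ICMP PING NMAP", 2, "vuln-a"),   # vuln-a not on db-01
]
# db-01 supports two businesses, so its risk counts toward both (claim 5).
BUSINESSES = {
    "portal": (3, ["web-01", "db-01"]),
    "billing": (5, ["db-01"]),
    "email": (1, ["mail-01"]),
}

if __name__ == "__main__":
    events = extract_risk_events(THREATS, VULNS)
    for asset, value in ASSET_VALUES.items():
        print("asset", asset, asset_risk(value, events.get(asset, [])))
    for name, (_, assets) in BUSINESSES.items():
        print("business", name, business_risk(assets, ASSET_VALUES, events))
    print("network", network_risk(BUSINESSES, ASSET_VALUES, events))
```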
CNA2008102407337A 2008-12-23 2008-12-23 Method and system for evaluating network safety situation Pending CN101436967A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNA2008102407337A CN101436967A (en) 2008-12-23 2008-12-23 Method and system for evaluating network safety situation

Publications (1)

Publication Number Publication Date
CN101436967A true CN101436967A (en) 2009-05-20

Family

ID=40711199

Country Status (1)

Country Link
CN (1) CN101436967A (en)

CN117527861A (en) * 2024-01-05 2024-02-06 四川盛邦润达科技有限公司 Equipment access method, internet of things gateway and Internet of things visualization platform
US11902303B2 (en) 2014-02-24 2024-02-13 Juniper Networks, Inc. System and method for detecting lateral movement and data exfiltration

Cited By (180)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103748996B (en) * 2009-08-20 2011-01-12 北京理工大学 Network security situation evaluating method under a kind of Attack Defence environment
CN101964780B (en) * 2010-01-28 2012-11-28 北京邮电大学 Method and system for analyzing vulnerability of IP multimedia subsystem network
CN103748999B (en) * 2010-06-09 2012-02-08 北京理工大学 A kind of network safety situation integrated estimation system
CN102143179A (en) * 2011-03-31 2011-08-03 中国人民解放军信息工程大学 Network-wide linked and integrated network service control method
CN102143085A (en) * 2011-04-27 2011-08-03 北京网御星云信息技术有限公司 Multi-dimensional network situation awareness method, equipment and system
CN102143085B (en) * 2011-04-27 2014-07-16 北京网御星云信息技术有限公司 Multi-dimensional network situation awareness method, equipment and system
CN102354310A (en) * 2011-07-12 2012-02-15 广东电网公司信息中心 Method and system for automated information security evaluation
CN102354310B (en) * 2011-07-12 2013-06-12 广东电网公司信息中心 Method and system for automated information security evaluation
CN102457411A (en) * 2011-10-14 2012-05-16 中国人民解放军国防科学技术大学 Network security situation fuzzy evaluation method based on uncertain data
CN102457411B (en) * 2011-10-14 2012-12-12 中国人民解放军国防科学技术大学 Network security situation fuzzy evaluation method based on uncertain data
CN102624696A (en) * 2011-12-27 2012-08-01 中国航天科工集团第二研究院七〇六所 Network security situation evaluation method
CN102624696B (en) * 2011-12-27 2014-11-05 中国航天科工集团第二研究院七〇六所 Network security situation evaluation method
CN102566546A (en) * 2012-01-13 2012-07-11 冶金自动化研究设计院 Alarm statistic and aided scheduling system of process data
CN102566546B (en) * 2012-01-13 2013-07-31 冶金自动化研究设计院 Alarm statistic and aided scheduling system of process data
CN102546641A (en) * 2012-01-14 2012-07-04 杭州安恒信息技术有限公司 Method and system for carrying out accurate risk detection in application security system
CN102546641B (en) * 2012-01-14 2014-12-31 杭州安恒信息技术有限公司 Method and system for carrying out accurate risk detection in application security system
CN103259778A (en) * 2012-02-15 2013-08-21 株式会社日立制作所 Security monitoring system and security monitoring method
CN102594607A (en) * 2012-03-13 2012-07-18 北京邮电大学 Telecommunication application service security test and evaluation universal platform system and method thereof
CN102594607B (en) * 2012-03-13 2015-05-20 北京邮电大学 Telecommunication application service security test and evaluation universal platform system and method thereof
CN102739649B (en) * 2012-05-25 2014-11-26 北京神州绿盟信息安全科技股份有限公司 Method and device for determining network threat level
CN102739649A (en) * 2012-05-25 2012-10-17 北京神州绿盟信息安全科技股份有限公司 Method and device for determining network threat level
CN102955902B (en) * 2012-10-09 2017-02-01 中国人民解放军63892部队 Method and system for evaluating reliability of radar simulation equipment
CN102955902A (en) * 2012-10-09 2013-03-06 中国人民解放军63892部队 Method and system for evaluating reliability of radar simulation equipment
CN102970188A (en) * 2012-12-06 2013-03-13 贵州电网公司六盘水供电局 110kV digital transformer substation security network
CN102970188B (en) * 2012-12-06 2015-09-09 贵州电网公司六盘水供电局 A kind of 110kV digital transformer substation secure network
CN103078852A (en) * 2012-12-28 2013-05-01 北京神州绿盟信息安全科技股份有限公司 Method and device for judging asset states
CN103078852B (en) * 2012-12-28 2015-07-15 北京神州绿盟信息安全科技股份有限公司 Method and device for judging asset states
CN103166794A (en) * 2013-02-22 2013-06-19 中国人民解放军91655部队 Information security management method with integration security control function
CN103260190A (en) * 2013-02-27 2013-08-21 武汉虹信通信技术有限责任公司 Security audit system based on evolution grouping system network and security audit method of security audit system
CN103260190B (en) * 2013-02-27 2016-03-23 武汉虹信通信技术有限责任公司 Based on the method for auditing safely of LTE long evolving system network
CN103401711A (en) * 2013-07-30 2013-11-20 浙江中烟工业有限责任公司 Security log-based network state analysis system
CN103401711B (en) * 2013-07-30 2016-11-02 浙江中烟工业有限责任公司 Network state based on security log analyzes system
WO2015070466A1 (en) * 2013-11-18 2015-05-21 国家电网公司 Security risk assessment method and apparatus
CN104751235A (en) * 2013-12-27 2015-07-01 伊姆西公司 Method and device for data mining
US11902303B2 (en) 2014-02-24 2024-02-13 Juniper Networks, Inc. System and method for detecting lateral movement and data exfiltration
CN104299169A (en) * 2014-09-26 2015-01-21 华中科技大学 Online sewage disposal system information safety risk analysis method and system
CN104299169B (en) * 2014-09-26 2018-02-02 华中科技大学 A kind of sewage disposal system information security online risk analysis method and system
CN104363104B (en) * 2014-09-29 2018-02-09 中国人民解放军总参谋部第五十四研究所 A kind of magnanimity multivariate data battle state display System and method for of Users ' Need-oriented
CN104363104A (en) * 2014-09-29 2015-02-18 中国人民解放军总参谋部第五十四研究所 User-requirement-oriented mass multivariate data situation displaying system and method
CN104394124B (en) * 2014-11-06 2017-10-17 国网山东蓬莱市供电公司 A kind of network safety event association analysis method
CN104394124A (en) * 2014-11-06 2015-03-04 国网山东蓬莱市供电公司 Association analysis system of network security incident
CN105844169A (en) * 2015-01-15 2016-08-10 中国移动通信集团安徽有限公司 Method and device for information safety metrics
CN107371384A (en) * 2015-02-13 2017-11-21 霍尼韦尔国际公司 Risk management in the environment of the air gap
CN104767757B (en) * 2015-04-17 2018-01-23 国家电网公司 Various dimensions safety monitoring method and system based on WEB service
CN104767757A (en) * 2015-04-17 2015-07-08 国家电网公司 Multiple-dimension security monitoring method and system based on WEB services
CN108369541B (en) * 2015-11-09 2023-09-01 西普霍特公司 System and method for threat risk scoring of security threats
CN108369541A (en) * 2015-11-09 2018-08-03 西普霍特公司 The system and method for threat risk score for security threat
CN105653958B (en) * 2015-11-30 2018-09-18 中国航天科工集团第二研究院七〇六所 Security postures method for visualizing based on data permission control
CN105653958A (en) * 2015-11-30 2016-06-08 中国航天科工集团第二研究院七〇六所 Security situation visualized method based on data authority control
CN105871803A (en) * 2015-12-09 2016-08-17 中国工程物理研究院计算机应用研究所 Flow-based network state rapid sensing system
CN105704119B (en) * 2015-12-31 2018-10-09 北京神州绿盟信息安全科技股份有限公司 A kind of method and device of determining network safety situation distribution
CN105704119A (en) * 2015-12-31 2016-06-22 北京神州绿盟信息安全科技股份有限公司 Method and device for determining network security posture distribution
CN109155774B (en) * 2016-03-30 2021-10-29 诺顿卫复客公司 System and method for detecting security threats
CN109155774A (en) * 2016-03-30 2019-01-04 赛门铁克公司 System and method for detecting security threat
CN106022630A (en) * 2016-05-30 2016-10-12 重庆大学 Operation safety assessment method for liquid oxygen filling system
CN109154964A (en) * 2016-06-01 2019-01-04 三菱电机株式会社 Security control apparatus, central security managing device, method for managing security and security management program
CN106559414A (en) * 2016-10-31 2017-04-05 华中科技大学 Network attack consequence dynamic quantitative appraisal procedure based on region situation information
CN106559414B (en) * 2016-10-31 2018-02-27 华中科技大学 Network attack consequence dynamic quantitative appraisal procedure based on region situation information
CN106790198A (en) * 2016-12-30 2017-05-31 北京神州绿盟信息安全科技股份有限公司 A kind of method for evaluating information system risk and system
CN106713333A (en) * 2016-12-30 2017-05-24 北京神州绿盟信息安全科技股份有限公司 Information system risk assessment method and apparatus
CN106973045A (en) * 2017-03-16 2017-07-21 北京金钻芯科技有限公司 Network security defends disposal system
CN107147515A (en) * 2017-03-21 2017-09-08 华南师范大学 A kind of cyberspace security postures Forecasting Methodology and system based on MLN
CN107153596A (en) * 2017-04-12 2017-09-12 合肥才来科技有限公司 A kind of monitoring method of application server all the period of time monitoring system
CN107196910A (en) * 2017-04-18 2017-09-22 国网山东省电力公司电力科学研究院 Threat early warning monitoring system, method and the deployment framework analyzed based on big data
CN107196910B (en) * 2017-04-18 2019-09-10 国网山东省电力公司电力科学研究院 Threat early warning monitoring system, method and deployment framework based on big data analysis
CN107332698A (en) * 2017-06-19 2017-11-07 西北大学 A kind of Security Situation Awareness Systems and method towards bright Great Wall intelligent perception system
CN107094158A (en) * 2017-06-27 2017-08-25 四维创智(北京)科技发展有限公司 The fragile analysis system of one kind automation intranet security
CN107094158B (en) * 2017-06-27 2020-06-19 四维创智(北京)科技发展有限公司 Automatic change intranet security fragile analytic system
CN107493187A (en) * 2017-07-19 2017-12-19 国网浙江桐庐县供电公司 A kind of Security Countermeasure for Information Network of Electric Power Enterprise management system with safe early warning
CN107454089A (en) * 2017-08-16 2017-12-08 北京科技大学 A kind of network safety situation diagnostic method based on multinode relevance
CN107343010B (en) * 2017-08-26 2019-07-16 海南大学 Automatic safe Situation Awareness, analysis and alarm system towards typing resource
CN107343010A (en) * 2017-08-26 2017-11-10 海南大学 Towards automatic safe Situation Awareness, analysis and the warning system of typing resource
CN109787935A (en) * 2017-11-13 2019-05-21 广东工业大学 A kind of smart home security protection system
CN107979601A (en) * 2017-11-30 2018-05-01 广州凡数信息科技有限公司 Security Situation Awareness Systems based on social networks
CN108111342A (en) * 2017-12-15 2018-06-01 北京华创网安科技股份有限公司 Based on visual threat warning methods of exhibiting
CN109962886B (en) * 2017-12-22 2021-10-29 北京安天网络安全技术有限公司 Method and device for detecting network terminal threat
CN109962886A (en) * 2017-12-22 2019-07-02 北京安天网络安全技术有限公司 The detection method and device that the network terminal threatens
CN108153632A (en) * 2017-12-25 2018-06-12 中山市小榄企业服务有限公司 A kind of Information Technology Equipment safety detecting system and its detection method
CN107995225A (en) * 2017-12-26 2018-05-04 国网河南省电力公司信息通信公司 A kind of security even analysis method towards complex network
CN108200045A (en) * 2017-12-28 2018-06-22 山东渔翁信息技术股份有限公司 Security Situation Awareness Systems and method
CN111971658B (en) * 2018-01-31 2021-08-10 怡安风险顾问股份有限公司 Systems and methods for vulnerability assessment and provision of related services and products for efficient risk suppression
CN111971658A (en) * 2018-01-31 2020-11-20 怡安风险顾问股份有限公司 Systems and methods for vulnerability assessment and provision of related services and products for efficient risk suppression
CN108449345A (en) * 2018-03-22 2018-08-24 深信服科技股份有限公司 A kind of networked asset continues method for safety monitoring, system, equipment and storage medium
CN108389007A (en) * 2018-03-26 2018-08-10 南京安元科技有限公司 Security risk managing and control system and method
CN108494787A (en) * 2018-03-29 2018-09-04 北京理工大学 A kind of network risk assessment method based on asset association figure
CN108509798A (en) * 2018-03-31 2018-09-07 河南牧业经济学院 A kind of computer software analysis system
CN108683663B (en) * 2018-05-14 2021-04-20 中国科学院信息工程研究所 Network security situation assessment method and device
CN108683663A (en) * 2018-05-14 2018-10-19 中国科学院信息工程研究所 A kind of appraisal procedure and device of network safety situation
CN108650139A (en) * 2018-05-18 2018-10-12 深圳众厉电力科技有限公司 A kind of powerline network monitoring system
CN108418722A (en) * 2018-05-18 2018-08-17 广西电网有限责任公司 Next-generation key message infrastructure security Situation Awareness and operation managing and control system
CN108494806A (en) * 2018-05-29 2018-09-04 广西电网有限责任公司 Cyberthreat warning monitoring system based on artificial intelligence
CN108848069A (en) * 2018-05-29 2018-11-20 深圳智达机械技术有限公司 A kind of electric power networks information security Active Defending System Against based on big data
CN108833372A (en) * 2018-05-29 2018-11-16 深圳万发创新进出口贸易有限公司 A kind of enterprise network security management cloud service platform system
CN108696529A (en) * 2018-05-29 2018-10-23 广西电网有限责任公司 Network security situation awareness analysis system based on multivariate information fusion
CN108833397A (en) * 2018-06-08 2018-11-16 武汉思普崚技术有限公司 A kind of big data safety analysis plateform system based on network security
CN108696531A (en) * 2018-06-08 2018-10-23 武汉思普崚技术有限公司 A kind of security strategy adaptive analysis and big data Visualization Platform system
CN108900328A (en) * 2018-06-21 2018-11-27 国网河南省电力公司信息通信公司 A kind of electricity grid network data safety test macro and method
CN108833416B (en) * 2018-06-21 2020-12-15 北京市劳动保护科学研究所 SCADA system information security risk assessment method and system
CN108833416A (en) * 2018-06-21 2018-11-16 北京市劳动保护科学研究所 A kind of SCADA system Information Security Risk Assessment Methods and system
CN108881250A (en) * 2018-06-28 2018-11-23 广东电网有限责任公司 Powerline network security postures prediction technique, device, equipment and storage medium
CN110971579A (en) * 2018-09-30 2020-04-07 北京国双科技有限公司 Network attack display method and device
CN109245944A (en) * 2018-10-22 2019-01-18 西南石油大学 Network safety evaluation method and system
CN109614181A (en) * 2018-11-15 2019-04-12 中国科学院计算机网络信息中心 Security postures methods of exhibiting, device and the storage medium of mobile terminal
CN109587125A (en) * 2018-11-23 2019-04-05 南方电网科学研究院有限责任公司 A kind of network security big data analysis method, system and relevant apparatus
CN109767352A (en) * 2018-12-24 2019-05-17 国网山西省电力公司信息通信分公司 A kind of power information physics emerging system safety situation evaluation method
CN109767352B (en) * 2018-12-24 2023-08-01 国网山西省电力公司信息通信分公司 Safety situation assessment method for electric power information physical fusion system
CN110166281A (en) * 2019-04-10 2019-08-23 奇安信科技集团股份有限公司 Appraisal procedure, device, system and the medium of the network information security
CN112073355A (en) * 2019-05-25 2020-12-11 福建雷盾信息安全有限公司 Vulnerability analysis method based on network flow
CN110381013A (en) * 2019-05-28 2019-10-25 三明学院 A kind of network safety situation sensing control method, apparatus, equipment and storage medium
CN110430158A (en) * 2019-06-13 2019-11-08 中国科学院信息工程研究所 Collection agent dispositions method and device
CN110430158B (en) * 2019-06-13 2020-07-03 中国科学院信息工程研究所 Acquisition agent deployment method and device
CN110460459A (en) * 2019-07-03 2019-11-15 中国南方电网有限责任公司 Electric power monitoring system network security situational awareness method
CN110392048A (en) * 2019-07-04 2019-10-29 湖北央中巨石信息技术有限公司 Network security situation awareness model and method based on CE-RBF
CN110225065A (en) * 2019-07-16 2019-09-10 广东申立信息工程股份有限公司 A kind of network security warning system
CN110401649A (en) * 2019-07-17 2019-11-01 湖北央中巨石信息技术有限公司 Information Security Risk Assessment Methods and system based on Situation Awareness study
CN110400368A (en) * 2019-08-07 2019-11-01 杭州安恒信息技术股份有限公司 Simplify the method, apparatus and electronic equipment for showing Internet of Things assets security
CN111083126A (en) * 2019-12-05 2020-04-28 国网浙江省电力有限公司电力科学研究院 Expert knowledge base-based penetration test risk assessment method and model
CN110991906B (en) * 2019-12-06 2023-11-17 国家电网有限公司客户服务中心 Cloud system information security risk assessment method
CN110991906A (en) * 2019-12-06 2020-04-10 国家电网有限公司客户服务中心 Cloud system information security risk assessment method
CN111178760A (en) * 2019-12-30 2020-05-19 成都烽创科技有限公司 Risk monitoring method and device, terminal equipment and computer readable storage medium
CN111510332A (en) * 2020-04-14 2020-08-07 杭州练链科技有限公司 Network security state prediction system
CN111628988A (en) * 2020-05-23 2020-09-04 北京紫通科技有限责任公司 Security analysis method, system and device based on multi-source security threat data
CN111740976A (en) * 2020-06-16 2020-10-02 黑龙江省网络空间研究中心 Network security discrimination and study system and method
CN111832017B (en) * 2020-07-17 2023-08-11 中国移动通信集团广西有限公司 Cloud-oriented database security situation awareness system
CN111832017A (en) * 2020-07-17 2020-10-27 中国移动通信集团广西有限公司 Cloud-oriented database security situation sensing system
CN111859393A (en) * 2020-07-20 2020-10-30 交通运输信息安全中心有限公司 Risk assessment system and method based on situation awareness alarm
CN112202764A (en) * 2020-09-28 2021-01-08 中远海运科技股份有限公司 Network attack link visualization system, method and server
CN112202764B (en) * 2020-09-28 2023-05-19 中远海运科技股份有限公司 Network attack link visualization system, method and server
CN112256791A (en) * 2020-10-27 2021-01-22 北京微步在线科技有限公司 Network attack event display method and storage medium
CN112491805A (en) * 2020-11-04 2021-03-12 深圳供电局有限公司 Network security equipment management system applied to cloud platform
CN112491805B (en) * 2020-11-04 2023-07-28 深圳供电局有限公司 Network security equipment management system applied to cloud platform
CN112465933A (en) * 2020-11-26 2021-03-09 杭州安恒信息技术股份有限公司 Equipment asset safety state information display method and related components
CN112596984A (en) * 2020-12-30 2021-04-02 国家电网有限公司大数据中心 Data security situation sensing system under weak isolation environment of service
CN112804212B (en) * 2020-12-31 2023-02-28 上海磐御网络科技有限公司 Information security assessment system
CN112804212A (en) * 2020-12-31 2021-05-14 上海磐御网络科技有限公司 Information security assessment system
CN112769825A (en) * 2021-01-07 2021-05-07 深圳市永达电子信息股份有限公司 Network security guarantee method, system and computer storage medium
CN112769825B (en) * 2021-01-07 2023-02-21 深圳市永达电子信息股份有限公司 Network security guarantee method, system and computer storage medium
US11431746B1 (en) 2021-01-21 2022-08-30 T-Mobile Usa, Inc. Cybersecurity system for common interface of service-based architecture of a wireless telecommunications network
US11799897B2 (en) 2021-01-21 2023-10-24 T-Mobile Usa, Inc. Cybersecurity system for common interface of service-based architecture of a wireless telecommunications network
US11546767B1 (en) 2021-01-21 2023-01-03 T-Mobile Usa, Inc. Cybersecurity system for edge protection of a wireless telecommunications network
US11863990B2 (en) 2021-01-21 2024-01-02 T-Mobile Usa, Inc. Cybersecurity system for edge protection of a wireless telecommunications network
CN112838956B (en) * 2021-01-29 2022-10-21 国家计算机网络与信息安全管理中心 User-oriented network space resource analysis method and equipment
CN112838956A (en) * 2021-01-29 2021-05-25 国家计算机网络与信息安全管理中心 User-oriented network space resource analysis method and equipment
CN113114647A (en) * 2021-04-01 2021-07-13 海尔数字科技(青岛)有限公司 Network security risk detection method and device, electronic equipment and storage medium
CN112953975A (en) * 2021-05-12 2021-06-11 南京恒先伟网络工程有限公司 Network security situation awareness system and method
CN113489728A (en) * 2021-07-08 2021-10-08 恒安嘉新(北京)科技股份公司 Safety evaluation system and method for industrial internet
CN113361982A (en) * 2021-08-11 2021-09-07 奇安信科技集团股份有限公司 Network security risk assessment method and device
CN113824682A (en) * 2021-08-12 2021-12-21 浙江木链物联网科技有限公司 Modular SCADA security situation perception system architecture
CN113824682B (en) * 2021-08-12 2024-05-31 浙江木链物联网科技有限公司 Modularized SCADA security situation sensing system architecture
CN113792308A (en) * 2021-08-30 2021-12-14 上海市大数据中心 Government affair sensitive data oriented security behavior risk analysis method
CN113449328B (en) * 2021-08-31 2022-02-15 深圳市深航华创汽车科技有限公司 Financial internet user data security processing method and system
CN113449328A (en) * 2021-08-31 2021-09-28 深圳市深航华创汽车科技有限公司 Financial internet user data security processing method and system
CN113885837A (en) * 2021-09-28 2022-01-04 深圳开源互联网安全技术有限公司 Method and device for establishing threat modeling requirement
CN114389867A (en) * 2021-12-30 2022-04-22 南方电网数字电网研究院有限公司 Network security analysis system
CN114244728B (en) * 2021-12-31 2024-04-16 北京工业大学 Network security situation assessment and prediction method based on multi-factor layering
CN114244728A (en) * 2021-12-31 2022-03-25 北京工业大学 Network security situation evaluation and prediction method based on multi-factor layering
CN114500024A (en) * 2022-01-19 2022-05-13 恒安嘉新(北京)科技股份公司 Network asset management method, device, equipment and storage medium
CN114500024B (en) * 2022-01-19 2024-03-22 恒安嘉新(北京)科技股份公司 Network asset management method, device, equipment and storage medium
CN114615016A (en) * 2022-02-09 2022-06-10 广东能源集团科学技术研究院有限公司 Enterprise network security assessment method and device, mobile terminal and storage medium
CN114615016B (en) * 2022-02-09 2023-08-01 广东能源集团科学技术研究院有限公司 Enterprise network security assessment method and device, mobile terminal and storage medium
CN114666117A (en) * 2022-03-17 2022-06-24 国网浙江省电力有限公司信息通信分公司 Network security situation measuring and predicting method for power internet
CN114978614A (en) * 2022-04-29 2022-08-30 广州市昊恒信息科技有限公司 IP asset rapid scanning processing system
CN114884735A (en) * 2022-05-10 2022-08-09 厦门融达信数据技术股份有限公司 Multisource data intelligent evaluation system based on security situation
CN114844953A (en) * 2022-05-12 2022-08-02 机械工业仪器仪表综合技术经济研究所 Petrochemical device instrument automatic control equipment safety monitoring system based on industrial internet
CN115001792A (en) * 2022-05-27 2022-09-02 北京双湃智安科技有限公司 Accuracy evaluation method for learning industrial Internet security perception system
CN114884754B (en) * 2022-07-11 2022-09-23 深圳特科动力技术有限公司 Network security system for realizing fault prediction by intelligent analysis
CN114884754A (en) * 2022-07-11 2022-08-09 深圳特科动力技术有限公司 Network security system for realizing fault prediction by intelligent analysis
CN115225533B (en) * 2022-07-26 2023-09-19 深圳证券通信有限公司 Security analysis method and related device
CN115225533A (en) * 2022-07-26 2022-10-21 深圳证券通信有限公司 Security analysis method and related device
CN115361227A (en) * 2022-09-22 2022-11-18 珠海市鸿瑞信息技术股份有限公司 Network security detection system and method based on data visualization
CN116318915A (en) * 2023-02-22 2023-06-23 深圳市众云网有限公司 Network security risk assessment service system
CN116232768A (en) * 2023-05-08 2023-06-06 汉兴同衡科技集团有限公司 Information security assessment method, system, electronic equipment and storage medium
CN116389174A (en) * 2023-06-07 2023-07-04 北京全路通信信号研究设计院集团有限公司 Network security control method and device
CN116389174B (en) * 2023-06-07 2023-09-12 北京全路通信信号研究设计院集团有限公司 Network security control method and device
CN117411768A (en) * 2023-10-07 2024-01-16 国家电网有限公司华东分部 Information display method and device, computer equipment and readable storage medium
CN117411768B (en) * 2023-10-07 2024-05-17 国家电网有限公司华东分部 Information display method and device, computer equipment and readable storage medium
CN117375982B (en) * 2023-11-07 2024-03-15 广州融服信息技术有限公司 Network situation safety monitoring system
CN117375982A (en) * 2023-11-07 2024-01-09 广州融服信息技术有限公司 Network situation safety monitoring system
CN117527861A (en) * 2024-01-05 2024-02-06 四川盛邦润达科技有限公司 Equipment access method, internet of things gateway and Internet of things visualization platform
CN117527861B (en) * 2024-01-05 2024-03-22 四川盛邦润达科技有限公司 Equipment access method, internet of things gateway and Internet of things visualization platform

Similar Documents

Publication Publication Date Title
CN101436967A (en) Method and system for evaluating network safety situation
US20190342307A1 (en) System and method for monitoring security attack chains
CN109861995A (en) A kind of safe big data intelligent analysis method of cyberspace, computer-readable medium
Viinikka et al. Processing intrusion detection alert aggregates with time series modeling
CN109885562A (en) A kind of big data intelligent analysis system based on cyberspace safety
CN104303152B (en) Detect abnormal to recognize the methods, devices and systems that collaboration group is attacked in Intranet
CN108833397A (en) A kind of big data safety analysis plateform system based on network security
CN107295010A (en) A kind of enterprise network security management cloud service platform system and its implementation
CN101459537A (en) Network security situation sensing system and method based on multi-layer multi-angle analysis
Spyridopoulos et al. Incident analysis & digital forensics in SCADA and industrial control systems
Efstathopoulos et al. Operational data based intrusion detection system for smart grid
CN112560029A (en) Website content monitoring and automatic response protection method based on intelligent analysis technology
Somayaji et al. A framework for prediction and storage of battery life in IoT devices using DNN and blockchain
CN108833372A (en) A kind of enterprise network security management cloud service platform system
Chen et al. Attack sequence detection in cloud using hidden markov model
CN115378711A (en) Industrial control network intrusion detection method and system
Skendžić et al. Management and monitoring security events in a business organization-siem system
Elshoush An innovative framework for collaborative intrusion alert correlation
Mishra et al. Cyber-attacks visualisation and prediction in complex multi-stage network
Salazar et al. Monitoring approaches for security and safety analysis: application to a load position system
Sharma et al. ICARFAD: a novel framework for improved network security situation awareness
CN114978595A (en) Threat model construction method and device and computer equipment
CN117220961B (en) Intrusion detection method, device and storage medium based on association rule patterns
Dong et al. Design of Network Security Situation Awareness and Early Warning System Based on Big Data
CN117579346A (en) Method, system, device and medium for discovering network threat based on label system

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Open date: 20090520